NARUC Cybersecurity TTX Guide September 2020
Lynn P. Costantini
Ashton Raffety
September 2020
Disclaimer
This material is based upon work supported by the Department of Energy under Award Number DE-OE0000818.
This report was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor any agency thereof, nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would
not infringe privately owned rights. Reference herein to any specific commercial product, process, or
service by trade name, trademark, manufacturer, or otherwise does not necessarily constitute or imply
its endorsement, recommendation, or favoring by the United States Government or any agency thereof.
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United
States Government or any agency thereof.
Acknowledgments
The authors wish to thank the following individuals for contributing their time and expertise to the
development of this guide:
5. Cybersecurity Glossary
The Glossary contains cybersecurity terms used throughout the Cybersecurity Manual, as well as
“terms of art” that utilities may use during discussions with PUCs. (2019)
Components of the Cybersecurity Manual can be used individually but are designed to work together.
NARUC’s intent is to provide a comprehensive set of assessment tools that, when applied, provide a consistent,
complete view of utilities’ cybersecurity preparedness. Figure 1 depicts the complementary, process-oriented
relationship among these components.
Figure 1. Components of the Cybersecurity Manual: Cybersecurity Strategy Development Guide; Cyber Tabletop Exercise Guide; Cybersecurity Preparedness: Questions for Utilities; Cybersecurity Glossary; Cybersecurity Preparedness Evaluation Tool.
The content of each tool in the Cybersecurity Manual is customizable to meet specific goals, objectives, and
requirements that PUCs have established around cybersecurity and to complement resources developed by
and for utilities and other cybersecurity practitioners. Geared toward nontechnical, policy-oriented users, each
component captures information in sufficient detail to support PUC decision making.
Appendices
A. Example Cybersecurity TTX Scenarios and Injects
B. Template Cyber TTX Checklist
C. Template Situation Manual (SitMan, including Agenda and Feedback Form)
D. Template Exercise Evaluation Guide (EEG)
E. Template After Action Report/Improvement Plan (AAR/IP)
F. Other TTX Guide Resources
G. Other Support Resources and Considerations
Exercises provide opportunities for participants to demonstrate and assess capabilities in specific areas
of interest, including cybersecurity risk management. They also facilitate coordination and help clarify
organizational roles and responsibilities.
This Tabletop Exercise (TTX) Guide steps PUCs through the process of creating and executing an exercise
specifically designed to examine capacities and capabilities to plan for, respond to, and recover from a
cybersecurity incident involving critical energy infrastructure. It complements other resources in NARUC’s
Cybersecurity Manual, particularly Understanding Cybersecurity Preparedness: Questions for Utilities, and
the Cybersecurity Preparedness Evaluation Tool.1 Coupled with the TTX Guide, these tools comprise a
structured, process-driven approach to identifying, assessing, and testing the efficacy of utilities’ cyber
risk management plans and practices. This knowledge helps commissions identify cybersecurity gaps, spur
utilities’ adoption of additional mitigation and response strategies, and encourage improvements.
Part I details the steps to plan and execute a TTX. Part II reviews the steps required to conduct a seminar-based
exercise.2 TTXs are discussion based, typically led by a facilitator who guides participants through one or more
scenarios for the purpose of testing the thoroughness and efficacy of relevant plans, processes, and procedures.
This format is well suited for commissions’ objective assessment of utilities’ cybersecurity preparedness as well
as their own cyber incident response capabilities. Seminars, which are also discussion-based exercises, typically
examine a single procedure within a larger plan or a single step in a multistep process.
Types of Exercises
Source: Homeland Security Exercise and Evaluation Program (HSEEP)
A variety of exercise formats exist, from small-scale, discussion-based events to sophisticated, immersive
experiences. The level
of effort, planning timeframes, and expense to build and deliver an exercise is commensurate with the exercise
scope and objectives. Generally, the more sophisticated the exercise, the broader the scope and objectives,
the longer the planning horizon. A full-scale exercise (FSE) could take multiple years to successfully plan while
an in-person TTX could be designed in as little as six months, although more planning time is suggested. A
seminar could be organized in less than three months.
There are two general categories of exercises: discussion-based and operations-based. Discussion-based
exercises bring participants together in low-stress environments to talk about their existing plans, processes,
and response capabilities, usually in reference to a hypothetical scenario. Designing a discussion-based cyber-
security exercise is not overly burdensome and does not necessarily require specialized cybersecurity
knowledge. Conversely, operations-based exercises are high stress and resource intensive. They usually require
participants to mobilize to a simulated event in real time using real equipment. The focus of operations-based
exercises is practice, skills development, and coordination of effort.
Several different exercise formats exist within each category. For reference, each format is described below.
Discussion-based Exercises:3
• Seminar—Seminars are lecture-based exercises that orient participants to provide an overview of a
strategy, plan, policy, or procedure. Seminars are especially useful when an entity has developed a new
plan or made changes to existing plans or procedures.
• Workshop—Typically small-group, interactive exercises that focus on idea generation or validation. Built
around in-depth, issue-driven discussions, workshops encourage collaboration and joint decision making,
which are essential to obtaining consensus and producing effective plans and procedures.
• Tabletop Exercise (TTX)—TTXs bring key stakeholders together to work through a scenario for the
purpose of testing preplanned actions. This format facilitates a holistic view of strategies and tactics, and
allows participants to assess sufficiency and effectiveness, identify gaps, and suggest improvements.
• Game—Games provide a simulation of operations that often involves two or more teams (e.g., red team/
blue team), usually in a competitive environment, using rules, data, and procedures designed to depict
an actual or hypothetical situation. These exercises are useful for identifying key operational decision
points and exploring the consequences of decisions on play, which help to refine plans and procedures.
The informal, low-pressure environment encourages creative problem solving.
Operations-based Exercises:4
• Drill—A drill is a coordinated, supervised activity usually employed to validate a specific function or
capability in a single organization. Drills are commonly used to provide training on tasks specific to new
equipment or procedures, to introduce or validate procedures, or to practice and maintain current skills.
• Functional Exercise (FE)—FEs are designed to validate and evaluate capabilities, multiple functions and/or
sub-functions, or interdependent groups of functions. FEs are typically focused on exercising plans, policies,
procedures, and staff members involved in management, direction, command, and control functions.
Figure 3. Exercise Cycle
An extension of the Preparedness Cycle (Figure 2), the Exercise Cycle (Figure 3) depicts the continuous
learning that naturally occurs when planning and conducting an exercise. Within an organization’s exercise
program, there is an endless cycle of designing and developing, conducting, evaluating, and improving
exercises and emergency response capabilities. Each step of the cycle is influenced by the preceding step
and influences the following. After an exercise is considered complete, the findings and lessons learned,
captured in the After Action Report/Improvement Plan (AAR/IP), inform the design and development of the
next exercise.
Exercise Objectives
After completing the preplanning process, a commission can move into the planning portion of the exercise.
This begins with the selection of objectives for the cyber TTX, which should focus on the core capabilities
specific to the needs of PUCs during a cyber event (i.e., focus on what the PUC wants to test). Objectives
may be informed by the commission’s cybersecurity strategy or past cybersecurity incidents. Three strong
objectives would be a reasonable number to test during a simple half-day TTX. Because commissions face
different realities and have varying priorities and resources, each commission benefits from tailoring objectives
according to their cybersecurity strategy.5
Topical areas for objectives include, but are not limited to, the following:
• Public Affairs
• Information Sharing
• Situational Awareness
• Supporting Service Restoration
• Supporting Recovery
• Supporting State Emergency Response
The commission may also want to consider making the objectives “SMART”, meaning specific, measurable,
achievable, relevant, and time-bound. Each guideline is defined below.6
Specific: Objectives should address the five Ws: who, what, when, where, and why. The objective specifies
what needs to be done with a timeline for completion.
Measurable: Objectives should include numeric or descriptive measures that define quantity, quality, cost,
and so on. Their focus should be on observable actions and outcomes.
Achievable: Objectives should be within the control, influence, and resources of exercise play and
participant actions.
Relevant: Objectives should be instrumental to the mission of the organization and link to its goals or
strategic intent.
Time-Bound: A specified and reasonable timeframe should be incorporated into all objectives.
5 If your commission does not have a cybersecurity strategy, NARUC’s recently published Cybersecurity Strategy Development Guide
can be used to develop one. If your commission has cyber response plans, or is part of the state’s cyber response plan or Cyber
Annex, objectives may include testing specific portions or expectations within those plans. Cybersecurity Strategy Development
Guide: https://pubs.naruc.org/pub/8C1D5CDD-A2C8-DA11-6DF8-FCC89B5A3204
6 IS-120.C: An Introduction to Exercises: https://emilms.fema.gov/IS0120c/groups/84.html
• Following notification of a cyber incident on energy infrastructure with physical consequences, identify
the applicable capabilities, and the associated authorities, that the PUC can employ in response.
• Throughout the exercise, examine state and federal government roles, responsibilities, authorities, and
actions that would be used during a cyber incident and identify gaps (if any).
• Following a cyber incident on energy infrastructure, review the ability of the PUC to utilize state, regional,
and national communication networks in a timely manner to coordinate unity of effort and unity of message.
Each of the above objectives identifies specific problems, is measurable (via the usage of evaluators),
achievable, relevant to examining responses to a cyber emergency, and defines a time period. By designing
objectives to be “SMART”, commissions may parse out the significant issues they would like to resolve and
turn them into viable objectives. All objectives should be evaluated for success following exercise conduct.
A significant component of TTXs is building valuable connections between the public and private sectors,
so relationships are proactively established in the event of a real incident. However, commissions should be
mindful of inviting too many stakeholders because it could result in a less focused and productive exercise.
Finding the balance between too many exercise participants and too few is part of the art of exercise design.
Planning Team: Having established your Exercise Leadership Team and stakeholders, the Exercise Leadership
Team can now build a Planning Team for in-depth planning of the exercise. The Planning Team should be
composed of the Exercise Leadership Team and representatives from stakeholder organizations. Individuals in those groups
that have been, or will likely be, involved in response to a real-world cyber incident are important to include
on the Planning Team. The size of your Planning Team depends on the number of stakeholders invited to
participate. For each external organization invited to participate, at least one individual from that organization
should participate on the Planning Team. Other than stakeholder organizations and the Exercise Leadership
Team, you may want to include the other individuals from the PUC as necessary, including but not limited to:
The Lead Designer (a member of the Exercise Leadership Team) is primarily responsible for the exercise
design. The Planning Team’s primary role is to advise and validate the development of the exercise scenario/
injects and objectives. Typically, the Exercise Leadership Team presents the Planning Team with their ideas
during planning meetings (discussed below) and asks for input. Changes are then made based on feedback,
informing the design and creation of the cyber TTX.
Facilitation Team: The Leadership Team is responsible for either identifying, hiring, or acting as the Facilitation
Team. Throughout exercise conduct, the Facilitation Team leads participants through the exercise experience,
including recording notes and collecting information that is used to evaluate whether the exercise objectives
were reached.
• Co-Facilitator(s): The Co-Facilitator(s) assists the Lead Facilitator and may present portions of the
scenario along with the Lead Facilitator.
• Evaluator(s): Throughout the exercise, evaluators record participant progress on objectives and major
discussion points using the Exercise Evaluation Guide (EEG). A template EEG is provided in Appendix D.
• Scribe: While Evaluator(s) record notes relevant to addressing the exercise objectives, the Scribe focuses
on general notetaking (which is useful for Evaluators post-exercise), including a record of attendees. Note:
It may be advisable to have participants discuss and agree in advance, in the planning stages, on what
information to record during the exercise, who gets the recordings and reports, and what information
ultimately gets shared regarding the exercise.
During this meeting, the Exercise Leads should ask for input on who should participate in the exercise
from the Planning Team. Participant selection can continue after this meeting, but PUCs may need to
be mindful of having too many participants in the planning process.
• Timeline: Three Months Before Exercise9
• Participants: Exercise Leadership Team/Planning Team/Facilitation Team
• Final Planning Meeting (FPM): The FPM is the final meeting of the TTX planning process. During this
meeting, the Exercise Leadership Team asks for feedback from the Planning Team on all draft documents
used to drive exercise play. Final changes to the scenario should be complete before the FPM so edits can
be discussed and agreed upon during the FPM. At this meeting, the Resource/Logistics Lead confirms
any outstanding logistical issues.
• Timeline: One Month Before Exercise
• Participants: Exercise Leadership Team/Planning Team/Facilitation Team
Commissions should note that a great deal of the discussion concerning exercise design topics can occur in
between the above meetings. The suggestions above are meant to serve as guideposts for commissions. It
may be necessary for the Planning Team to meet more frequently as exercise design is an iterative process.
Review Plans
A review of cyber emergency plans may occur earlier on in the process when the Exercise Leadership Team
is designing their objectives and goals for the scenario. Still, it is a vital part of exercise design. Planners
should review all relevant plans and policies related to incident response, recovery, or other activities to be
explored in the scenario. Relevant plans include internal PUC procedures and stakeholder plans that would
help drive exercise play. By reviewing cyber incident response and recovery plans, the Planning Team has an
understanding of how the response structure for a cyber emergency is supposed to work, which provides
valuable information on what capabilities should be tested during the TTX. Evaluators begin shaping the
criteria on which they evaluate the exercise based on the plans or procedures utilized during exercise conduct.
• The conditions allowing players to demonstrate their ability to meet exercise objectives;
• The technical details necessary to accurately depict scenario conditions and events (e.g., the date and
time of event and damage resulting from the event); and
While developing the scenario, everyone should keep the above elements in mind, as well as what sort of
disruptive elements participants experience during the scenario. All of these elements should be developed
by the Exercise Leadership Team and presented at the IPM, where feedback should be collected from the
Planning Team. Example scenarios are in Appendix A.
The elements or information introduced in each inject should complement the commission’s exercise
objectives and the core capabilities that it would like to see tested. Following each inject, a facilitator typically
asks discussion questions to drive participants toward the core items within the exercise objectives. Example
scenarios, injects, and discussion questions are in Appendix A.
Development of EEG
During the exercise, the Lead Evaluator evaluates whether objectives have been accomplished. Commissions
may want evaluators to develop an EEG to ensure that the PUC is meeting its goals and staying on track with
its objectives throughout the exercise design process. EEGs accomplish the following:12
• Streamline data collection during the exercise (consider sensitive information and how to avoid bringing
it into the exercise or protecting it if deemed critical);
• Help organizations map exercise results to exercise objectives, core capabilities, capability targets, and
critical tasks for further analysis and assessment.
There may be a variety of ways to meet all of the above targets, and they likely vary based on each
commission’s goals and priorities. It may be useful to apply SMART principles to each of the above bullets.
Exercise Venue
A Cyber TTX should follow standard practice for meeting logistics. For example, consider venue size, food,
and refreshments required, as well as ensuring breaks are scheduled to encourage networking and discussion.
It is important to choose a venue that has space for all participants, staff, and observers to move about and
have separate discussions without noise becoming a distraction. For more advanced exercises, it may also be
useful to have smaller breakout rooms where participants can have more in-depth conversations concerning
the exercise or to network with one another.
An in-person Cyber TTX should not require any special equipment or materials since it is a discussion-based
exercise. Concerning equipment, audio/video capabilities to display a slide deck or video will likely be the
only equipment needed. Video telecommunication abilities may be needed if some individuals join the TTX
remotely. Before the exercise, the Leadership Team should visit the venue space to ensure bathrooms and
emergency exit locations are known and clearly labeled for participants (create signage if necessary). An initial
run of the entire exercise may also be useful to address any problems that occur.
If the TTX is conducted virtually or with a remote play option, a conferencing system or virtual meeting software
is necessary. The chosen platform should be thoroughly tested before the exercise, including all features that
may confuse a non-expert user. To ensure that the TTX runs smoothly, someone should be responsible for
addressing technical issues if they arise during the exercise.
Pre-reading Materials
To facilitate active participation in the exercise, provide pre-reading materials to participants to ensure that all
players start with an equal base level of knowledge. Reading materials beforehand allows them to focus on
building relationships through interactions, rather than passively reading during exercise conduct. Pre-reading
materials could include:
1. Logistical information (parking instructions, building access instructions, dress code, etc.)
2. The Situation Manual (SitMan)
3. Your State’s Energy Assurance Plan, State Emergency Operations Plan, and/or Cyber Emergency Response
Annex
4. Brief biographies of the Exercise Facilitator(s), Evaluators, and Scribe (and Exercise Leadership Team
if different).
5. Previously developed energy risk profiles of the state/region13
6. PowerPoint used during the exercise (if applicable)
7. Copies of the EEG should be sent to evaluators before exercise conduct.
Hot Wash
Immediately following completion of the exercise, the Exercise Team can hold a “Hot Wash”. A Hot Wash
allows participants to provide feedback on how they thought the exercise progressed and how they performed.
Exercise strengths and areas that may need improvement are usually also discussed during this session. The
Hot Wash may be led by the Lead Facilitator, who ensures that discussion points remain on topic and relevant
to the objectives and goals laid out by the commission at the beginning of the exercise. Evaluators may use
the information collected from the Hot Wash to inform the AAR/IP. The Hot Wash likely provides the Exercise
Leadership Team with ideas to improve subsequent exercises. A template Hot Wash Discussion Form for
evaluators to utilize is included in the template EEG (Appendix D).
Step 8: Evaluation
The first evaluation takes place in the form of a Hot Wash immediately after the exercise. At a later date,
the Exercise Leadership Team and Facilitation Team debriefs among themselves to determine whether the
exercise objectives were accomplished. If necessary, a data analysis phase takes place, then an AAR/IP is
developed and validated through an AAM.
Data Analysis
During the analysis phase, evaluators and the Scribe consolidate data collected during and after the exercise
to identify strengths, challenges, and other observations to determine if the exercise objectives were met.
Evaluators can conduct this task by finding the root cause or origin of each challenge. This is known as Root Cause
The document typically includes corrective actions, which are actionable, achievable, and identify a responsible
party and completion date. Corrective actions form the backbone of this process and highlight ways that
commissions can improve their response to various forms of cyber emergencies.
Although the following list is not exhaustive, the Exercise Leadership Team may wish to use these questions during
discussions on developing corrective actions:16
Once the AAR/IP is drafted, it can be distributed to the Planning Team (and possibly other stakeholders) for
review before the AAM.
Note: Caution should be taken regarding the evaluation and the possible identification of risks,
weaknesses, and response plan shortcomings. Each organization may be assigned different
responsibilities for addressing any such discoveries. However, commissions may want to be mindful
of releasing any of these weaknesses into the public via the AAR/IP. Malicious actors could potentially
capitalize on vulnerabilities identified within the AAR/IP.
Compared to a TTX, a seminar is less complicated to plan and conduct. A seminar typically takes place
around a conference table with 10 to 15 individuals working through a document and discussing its real-world
application, but it could include fewer or more individuals depending on the type of material reviewed and
the number of relevant stakeholders involved.
It is essential to note the difference between a seminar and a workshop. While the two are similar and many professionals use
the terms interchangeably, the main difference is the intention of the gathering. While seminars can inform updates
to an existing document or plan, the primary purpose is to provide and clarify information and expectations
between stakeholders about existing documents and protocols. The primary intention of a workshop is to formally
bring stakeholders together to create or edit plans, procedures, or agreements with consensus.
• After working through these questions with a utility, you can analyze the information received using
NARUC’s CPET.18 The CPET provides commissions with a simple, easy-to-apply tool to evaluate
the maturity of a utility’s cybersecurity program. By regularly engaging with utilities (e.g., annually,
semiannually) using the Questions for Utilities and analyzing the information received using the
CPET, commissions can assess the year-over-year change in cybersecurity preparedness of individual
utilities. This practice would promote continuous improvement.
• Key State Officials (State Energy Office, Emergency Management Agency, Governor’s Office Representatives,
Transportation Agency, IT Officials, State Homeland Security Office, Fusion Center, National Guard Cyber
Unit, State Administration Agency)
• Utility Owners/Operators (electricity, natural gas, petroleum, communications, water, non-regulated utilities)
• Federal Partners (U.S. Department of Energy (including power administrations), U.S. Department of
Homeland Security, Federal Emergency Management Agency, Federal Bureau of Investigation, etc.)
• Non-Governmental Organizations (e.g., the Red Cross, other disaster response groups)
• Key local government officials
• Tribal Nations
• First Responders
Seminar Roles
• Opening Speaker: Consider inviting a commissioner or another prominent leader to make brief opening
remarks. Opening remarks can highlight the importance of preparation and provide an overview of the
seminar’s goals. The opening speaker does not need to stay for the duration of the seminar if they are
not integral to the conversation.
• Facilitator: The seminar facilitator should be someone with authority on the document planned for
discussion. This person is responsible for facilitating dialogue and prompting seminar participants when
appropriate. Examples:
• If NARUC’s “Questions for Utilities” is discussed, the PUC’s Cybersecurity Director may lead the
discussion and prompt utilities for additional details as appropriate.
• If an EAP/Cyber Annex is discussed, the ESF-12 lead may facilitate the discussion and prompt other
agencies to describe their cybersecurity roles during an incident.
• Scribe: The Scribe should take notes throughout the seminar to capture major discussion items. Notes
do not need to be overly detailed and should not identify specific individuals.
1. Logistical information (parking instructions, building access instructions, dress code, etc.)
2. Your State’s Energy Assurance Plan, State Emergency Operations Plan, and/or Cyber Emergency Response
Annex
3. Brief biographies of key participants
4. Previously developed energy risk profiles of the state/region20
5. PowerPoint that will be used (if applicable)
• Inject 1 [9:00 AM]: It is seemingly a typical day at the commission, and operations are running smoothly.
However, the PUC’s IT department notices a series of abnormal spikes in activity within one of their
systems. The peaks are initially dismissed as routine fluctuations, and the day continues as usual.
• Discussion Question: What protocol or precedence exists for suspicious internal network
abnormalities?
• Inject 2 [12:00 PM]: A few hours later, the commission’s website crashes due to a high volume of traffic.
The PUC’s IT department realizes that the commission is currently under a Distributed Denial of Service
(DDOS) attack, explaining the abnormal fluctuations from earlier.
• Discussion Question: What would the PUC’s communications/public affairs department do in this
scenario?
• Inject 3 [3:00 PM]: Three hours after the initial discovery of the DDOS attack, a commission staffer
receives an email from someone claiming to be a hacker. The hacker states that they will continue to execute daily DDOS
attacks on the commission unless the PUC pays them. To make matters worse, the hacker claims to have
access to Personally Identifiable Information (PII) from employees and customers and demands payment;
if the PUC does not pay, the hacker threatens to release the PII publicly. The hacker copies members of the press
on the email.
• Discussion Question: What state/federal partners would you contact to help address the situation?
• Inject 1 [10:00 AM, June 1]: The FBI issues a Private Industry Notification (PIN), TLP Amber22, based on
information received from several water utilities across the country. The PIN notes that malicious actors
are utilizing phishing techniques to send personal emails with files embedded with malware. The actors
appear to focus on access to operational systems and SCADA.
• Discussion Question: What is your degree of concern at this point? Are there any actions that need
to happen now?
• Inject 2 [11:00 AM, June 3]: An employee at a private utility water plant opens an email addressed to
them from an apparent vendor with a PDF attachment invoice. The employee opens the PDF and deletes
the email after viewing the PDF. About an hour later, other plant personnel investigate a strong chlorine
smell and determine that an excessive amount of chlorine was released into the treatment system during
the disinfection process. However, SCADA and PLCs are not indicating any problems. Plant operators
• Inject 3 [2:00 PM, June 3]: Due to the loss of control of the chlorine feed and control of the SCADA
and operations systems, the company shuts the plant down and issues do-not-consume and water
conservation notices.
• Discussion Question: If the water company issues a “do-not-consume” notice, what type of public
messaging needs to come from which state agency?
• Inject 4 [4:00 PM, June 3]: A separate water system in another part of the state reports to the state
emergency management agency that a successful phishing attack conducted reconnaissance on control
systems, but was mitigated by IT staff before it migrated to the control systems.
• Discussion Question: How would this information be shared with other water utilities and other
critical infrastructure sectors to warn of a potential threat?
The Centers for Disease Control and Prevention (CDC) previously made a public announcement that an
unknown and contagious disease is infecting about 1,000 people per day within the United States. The CDC
advises citizens to wear protective face masks and avoid public/crowded spaces until further notice. The
CDC also recommends that Governors issue shelter-in-place orders to temporarily close restaurants and other
public places prone to crowding.
• Inject 1 [10:00 AM, Friday]: Based on CDC recommendations, XYZ Utility is limiting the number of
employees in the office at any given time to 25% capacity, and all other employees are required to work
from home. All employees have work laptops.
• Discussion Question: Do protocols/technologies exist for secure remote connections? If so, how
are employees trained?
• Inject 2: Strain on the utility's remote access network has left employees frustrated with the loading speeds
of email and other work applications. Many employees start reading work email from personal computers that
are not connected to the utility's VPN. The IT team would normally notice unfamiliar IP addresses accessing
the system, but because of the unusual work-from-home arrangement it does not block employees from
accessing work resources from personal computers.
• Discussion Question: At any given moment, how many employees can access the network
remotely? Do you have the ability to increase this capacity if necessary?
• Inject 3 [8:00 AM, Monday]: Over the weekend, a large number of unusual IP addresses accessed the utility's
network, even more than when employees were using their personal computers. IT then discovers that
personally identifiable information (PII) was accessed and copied by an unauthorized user, and immediately
reports the breach to the Chief Information Security Officer (CISO).
• Discussion Question: Is there a protocol for notifying individuals that their PII was compromised?
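Injects 2 and 3 of this scenario turn on a check the IT team is assumed to run routinely: which remote-access sessions came from outside the VPN, and whether the set of source addresses suddenly grew. The script below is an added illustration of that check and is not part of the NARUC guide or any utility's tooling. The log format, the usernames, the VPN address pool (10.20.0.0/16), the sample events and the alert threshold are all constructed for the example.

```python
"""Flag remote-access events that bypass the VPN and spot a surge in never-seen source IPs.

Added example for the remote-work scenario; not from the NARUC guide. Log format,
address ranges, users, sample events and thresholds are assumptions for illustration.
"""
import ipaddress
from datetime import datetime

# Assumption: the VPN concentrator assigns client addresses from this pool, so an
# access to an internal web application from any other address did not come over the VPN.
VPN_POOL = ipaddress.ip_network("10.20.0.0/16")

# Constructed sample access log (not real data). Fields:
# <ISO timestamp> <user> <source IP> <application> <result>
SAMPLE_LOG = """\
2020-06-05T09:12:03 jdoe 10.20.4.17 webmail OK
2020-06-05T09:40:51 asmith 10.20.7.2 webmail OK
2020-06-05T10:02:11 jdoe 203.0.113.45 webmail OK
2020-06-05T10:15:09 bwong 198.51.100.23 webmail OK
2020-06-05T11:30:00 asmith 10.20.7.2 fileshare OK
2020-06-06T02:14:33 jdoe 192.0.2.10 webmail OK
2020-06-06T02:15:01 jdoe 192.0.2.11 webmail OK
2020-06-06T02:15:40 asmith 192.0.2.12 webmail FAIL
2020-06-06T02:16:02 asmith 192.0.2.13 webmail OK
2020-06-07T03:01:19 bwong 192.0.2.77 fileshare OK
2020-06-07T03:05:44 bwong 192.0.2.78 fileshare OK
"""

# Start of the weekend window that Inject 3 reports on (assumed date).
WEEKEND_START = datetime(2020, 6, 6)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, app, result = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "src": ipaddress.ip_address(src),
            "app": app,
            "ok": result == "OK",
        })
    return events


def off_vpn_events(events, pool=VPN_POOL):
    """Successful accesses whose source address is outside the VPN pool (Inject 2 behaviour)."""
    return [e for e in events if e["ok"] and e["src"] not in pool]


def new_source_ips(events, baseline_end):
    """Source IPs seen at or after baseline_end that never appeared during the baseline window.

    Failed attempts are kept on purpose: a burst of failures from fresh addresses is signal too.
    """
    baseline = {e["src"] for e in events if e["time"] < baseline_end}
    new = {e["src"] for e in events if e["time"] >= baseline_end and e["src"] not in baseline}
    return sorted(new)


def surge_alert(events, baseline_end, threshold):
    """True when more than `threshold` never-before-seen source IPs appear after baseline_end."""
    return len(new_source_ips(events, baseline_end)) > threshold


def report(text=SAMPLE_LOG, baseline_end=WEEKEND_START, threshold=3):
    """Summarise both checks for the given log; threshold is an assumed tuning value."""
    events = parse_log(text)
    direct = off_vpn_events(events)
    new_ips = new_source_ips(events, baseline_end)
    return {
        "off_vpn_users": sorted({e["user"] for e in direct}),
        "off_vpn_count": len(direct),
        "new_ips": [str(ip) for ip in new_ips],
        "new_ip_count": len(new_ips),
        "surge": surge_alert(events, baseline_end, threshold),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The first check answers the Inject 2 question (who is reaching internal applications without the VPN); the second answers Inject 3 (did the population of source addresses jump over the weekend relative to the work week). In a real deployment the baseline window would be weeks rather than a single day and the threshold would be tuned to the utility's normal remote workforce, which is exactly the capacity question the discussion prompt above asks.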
7. Exercise Conduct (and logistics)
[Exercise Name]
Situation Manual
[Date]
This Situation Manual provides the run-of-show for a Cybersecurity Tabletop Exercise (TTX) conducted by
[Commission Name] on [Date of Exercise] with [List Other Participants]. This document describes the
exercise’s background and purpose, as well as the functional aspects of the exercise. Due to the sensitive
nature of the topics being discussed, this manual is designated as For Official Use Only (FOUO), and may not
be distributed without written permission from [Name].
The [Exercise Name] Situation Manual (SitMan) provides exercise participants with all the necessary tools for
their role(s) in the exercise and is evidence of [Commission Name]’s commitment to protecting the State of
[State] and critical infrastructure sectors from cyber-attacks.
[Exercise Name] is an unclassified but For Official Use Only (FOUO) exercise. Sensitive topics may be discussed
that are not permitted to be disclosed publicly under [reference authority]. Some exercise material is intended
for the exclusive use of exercise planners, facilitators, and evaluators, but players may view other materials that
are necessary to their performance. All exercise participants may view the SitMan.
• If the exercise requires the transmittal of information via email or other written communications, “Exercise,
Exercise, Exercise” should appear at the top of the message to avoid confusion with real-world events.
• When communicating with other exercise participants in person, you are free to immerse yourself in the
simulated events without repeatedly stating that you are taking part in an exercise. If information about a
real-world emergency needs to be shared, participants should preface it by saying "time out from the
exercise" and forming a capital "T" with their hands. To resume play after the real-world information has
been addressed, say "resuming exercise." This avoids confusion among participants about what is real and
what is simulated.
After these functional group discussions, participants will engage in a facilitated group discussion in which a
spokesperson from each functional group will present a synopsis of the group’s actions, based on the scenario.
From here, the entire group will discuss how each organization’s actions impact one another and what type of
coordination may need to take place.
Exercise Guidelines
• This is an open, low-stress, no-fault environment. The discussions will explore the policies, decisions,
actions, and key relevant issues, which will require participants to respect the observations, opinions, and
perspectives of others.
• Treat the scenario incidents as real (i.e., do not fight the exercise).
27 https://www.fema.gov/media-library-data/1582669862650-94efb02c8373e28cadf57413ef293ac6/Homeland-Security-Exercise-and-Evaluation-Program-Doctrine-2020-Revision-2-2-25.pdf
• Issue identification is not as valuable as suggestions and recommended actions that could improve
response and preparedness efforts. Problem-solving efforts should be the focus.
• Keep the time constraints in mind and comments focused, where possible.
Exercise Assumptions
In any exercise, several assumptions and artificialities may be necessary to complete play in the time allotted.
During this exercise, the following apply:
• When possible, discussions and decision-making should be informed, first, by active plans, policies, and
procedures outlined in the [Energy Assurance Plan or State Emergency Operations Plan and/or Cyber
Annex]. If this presents an obstacle for the group as it progresses through the inject, discussions and
decision-making can be hypothetical and based on group consensus when possible.
Key Issues
• [e.g., the IT Director is on vacation and unreachable]
• [Insert other key issues]
Questions
Based on the information provided, participate in the discussion concerning the issues raised in Inject 1.
Identify any additional requirements, critical issues, decisions, or questions that should be addressed at this time.
The following questions are provided as suggested general subjects that you may wish to address as the
discussion progresses. These questions are not meant to constitute a definitive list of concerns to be addressed,
nor is there a requirement to address every question.
Key Issues
• [e.g., the IT Director is on vacation and unreachable]
• [Insert other key issues]
Questions
Based on the information provided, participate in the discussion concerning the issues raised in Inject 2.
Identify any additional requirements, critical issues, decisions, or questions that should be addressed at this time.
The following questions are provided as suggested general subjects that you may wish to address as the
discussion progresses. These questions are not meant to constitute a definitive list of concerns to be addressed,
nor is there a requirement to address every question.
Key Issues
• [e.g., the IT Director is on vacation and unreachable]
• [Insert other key issues]
Questions
Based on the information provided, participate in the discussion concerning the issues raised in Inject 3.
Identify any additional requirements, critical issues, decisions, or questions that should be addressed at this time.
The following questions are provided as suggested general subjects that you may wish to address as the
discussion progresses. These questions are not meant to constitute a definitive list of concerns to be addressed,
nor is there a requirement to address every question.
Identify the action steps that should be taken to address the issues identified above. For each action step,
indicate if it is a high, medium, or low priority.
_____________________________________________________________________________________________________
Describe the action steps that should be taken in your area of responsibility. Who should be assigned
responsibility for each action item?
_____________________________________________________________________________________________________
List the policies, plans, and procedures that should be reviewed, revised, or developed. Indicate the priority
level for each.
_____________________________________________________________________________________________________
Is there anything you saw in the exercise that the evaluator(s) might not have been able to experience, observe,
and/or record?
_____________________________________________________________________________________________________
Location: Date:
Objective: [e.g., Following notification of a cyber incident affecting energy infrastructure with physical
consequences, identify applicable capabilities, and associated authorities, the PUC can employ in response.]
Observations of Capabilities that Address the Objective (can be positive or negative) | Time of Observation
1. [e.g., Jane, XYZ Commission staffer, discovered that a malicious cyber actor had gained control of XYZ Utility's SCADA system, then convened ESF #12 responders within the state to brief on the situation] | [e.g., immediately after the PUC became aware of the incident]
[e.g., John Doe, a Cyber Analyst for XYZ Utility, discovered a cybersecurity breach, then texted his boss about it. His boss responded right away and informed the state's emergency management agency (EMA). The EMA immediately informed the PUC as the ESF #12 lead.] | [e.g., 10:00 AM, one hour after the discovery of the incident]
2. |
3. |
(Rows 1-3 repeat for each additional objective.)
[i.e., Write a general chronological narrative of responder actions based on evaluator(s) observations
during the exercise. Provide an overview of observations and, specifically, discuss how particular
capabilities were carried out during the exercise, referencing specific tasks where applicable. The
narrative provided will influence the After-Action Report/Improvement Plan (AAR/IP). If appropriate, make
recommendations for improvement for each observation.]
[Exercise Name]
After Action Report/Improvement Plan
[Date]
This After-Action Report/Improvement Plan (AAR/IP) is based on a Cybersecurity Tabletop Exercise (TTX)
conducted by [Commission Name] on [Date of Exercise] with [List Other Participants]. This report provides an
overview of the goals/objectives of the exercise, describes the scenario used to test capabilities, and suggests
corrective actions to improve [Insert Based on Objectives]. Due to the sensitive nature of the topics being
discussed, this report is designated as For Official Use Only (FOUO), and may not be distributed without
written permission from [Name].
Objective(s): [Objective 1]; [Objective 2]; [Objective 3]
[Description of key findings based on the exercise (i.e., What worked? What didn't work? Why or why not?)]
Rating by objective (P, S, M, or U, as defined below):
[Objective 1]:
[Objective 2]:
[Objective 3]:
Performed without Challenges (P): The targets and critical tasks associated with the preparedness
capability were completed in a manner that achieved the objective(s) and did not negatively impact the
performance of other activities. The performance of this activity did not contribute to additional health
and/or safety risks for the public or emergency workers, and it was conducted in accordance with
applicable plans, policies, procedures, regulations, and laws.
Performed with Some Challenges (S): The targets and critical tasks associated with the preparedness
capability were completed in a manner that achieved the objective(s) and did not negatively impact the
performance of other activities. The performance of this activity did not contribute to additional health
and/or safety risks for the public or emergency workers, and it was conducted in accordance
with applicable plans, policies, procedures, regulations, and laws. However, opportunities to enhance
effectiveness and/or efficiency were identified.
Performed with Major Challenges (M): The targets and critical tasks associated with the preparedness
capability were completed in a manner that achieved the objective(s), but some or all of the following were
observed: demonstrated performance had a negative impact on the performance of other activities;
contributed to additional health and/or safety risks for the public or emergency workers; and/or was not
conducted in accordance with applicable plans, policies, procedures, regulations, and laws.
Unable to be Performed (U): The targets and critical tasks associated with the preparedness capability
were not performed in a manner that achieved the objective(s).
Strengths (repeat for each objective):
• [List strengths]
29 HSEEP: https://www.fema.gov/media-library-data/1582669862650-94efb02c8373e28cadf57413ef293ac6/Homeland-Security-Exercise-and-Evaluation-Program-Doctrine-2020-Revision-2-2-25.pdf
30 Emergency Planning Exercises: https://www.fema.gov/emergency-planning-exercises
31 DHS Cybersecurity Services Catalog for SLTT Governments:
https://www.us-cert.gov/sites/default/files/c3vp/sltt/SLTT_Hands_On_Support.pdf
32 https://www.epa.gov/waterresiliencetraining/develop-and-conduct-water-resilience-tabletop-exercise-water-utilities
33 COVID-19 Recovery CTEP: https://www.cisa.gov/publication/covid-19-recovery-ctep-documents
• Reach out to your state’s Emergency Management Agency, State Administrative Agency, Governor’s
Office, or other agency as appropriate and inquire about available funding to conduct a TTX focused on
cybersecurity. If funding is available, possibly federal funding through a specified state agency, it could
be used to hire professional assistance, such as facilitators, evaluators, scribes, cybersecurity SMEs, or
secure an off-site venue.
• The Federal Emergency Management Agency’s (FEMA) Emergency Management Institute (EMI) conducts
Virtual Tabletop Exercises (VTTX) using a video teleconference (VTC) platform to reach community-based
training audiences around the country. The VTTX process involves key personnel from the emergency
management community of practice reviewing a prepackaged set of exercise materials, then convening for
a 4-hour TTX discussing a simulated disaster scenario with a total of 10 to 15 individual sites participating.
The event allows the connected sites to assess current plans, policies, and procedures while learning from
the other participants. A VTC system is required for participation; there is no cost for this program. Find
additional information here: https://training.fema.gov/programs/emivttx.aspx.
• A source of financial support could come from the federal government in the form of Emergency
Management Performance Grants (EMPG) or the Homeland Security Grant Program (HSGP). These grants may
be used to conduct a cybersecurity exercise. Commission staff can check with their state governor's office to
determine if they have access to these funds.
• EMPGs are issued by FEMA and can be used to fund preparedness exercises. However, only state
Emergency Management Agencies and State Administrative Agencies (SAA) can apply for these grants; a
commission cannot apply directly.34 Commission staff may wish to speak with their SAA or state
emergency management agency to find out what funds are available and how they may access them.
• The HSGP provides support to enhance the ability of state, local, tribal, and territorial (SLTT)
governments, as well as nonprofits, to prevent, protect against, respond to, and recover from terrorist
attacks. HSGP is composed of three grants programs, including the State Homeland Security Grant
Program (SHSP), the Urban Area Security Initiative (UASI), and Operation Stonegarden (OPSG).
State Administrative Agencies (SAA) are the only entities eligible to apply for HSGP grants.35
• UASI assists high-threat, high-density urban areas to build and sustain the capabilities necessary
to prevent, protect against, mitigate, respond to, and recover from terrorist attacks.
• OPSG supports enhanced cooperation and coordination among Customs and Border
Protection, U.S. Border Patrol, and local, tribal, territorial, state, and federal law enforcement
agencies.36
• State emergency management agencies typically have 5-year exercise planning calendars and
annual coordination meetings in conjunction with the HSGP activities. Commissions may consider
contacting state emergency management about participating in that process and working with
other agencies to develop a cyber TTX.
• Commissions may also consider working with their Department of Homeland Security (DHS) regional
Protective Security Advisors on accessing any available federal support for a cyber exercise.
• Open to PUCs and conducted biennially, GridEx is a grid security exercise series sponsored by the North
American Electric Reliability Corporation’s Electricity Information Sharing and Analysis Center.37 The
GridEx exercise series focuses on cyber and physical disruptions to the bulk power system. Commissions
should contact stakeholders within their state and inquire about collaboratively participating in future
GridEx exercises.
36 Department of Homeland Security Preparedness Grants: A Summary and Issues, p. 5–6: https://fas.org/sgp/crs/homesec/R44669.pdf
37 GridEx: https://www.nerc.com/pa/CI/CIPOutreach/Pages/GridEx.aspx